CVE-2017-16355

Name of the Vulnerable Software and Affected Versions Phusion Passenger versions 5.1.10

Description The issue allows an attacker to list the contents of arbitrary files on a system by creating a symbolic link from the REVISION file in the application root folder to a file of choice and then querying passenger-status --show=xml. This can potentially lead to unauthorized access to confidential data. The vulnerability is related to the REVISION file and can be exploited when Passenger is running as root.

Recommendations For Phusion Passenger version 5.1.10, update to Passenger Open Source 5.1.11 or Passenger Enterprise 5.1.10 to resolve the issue. As a temporary workaround, consider restricting access to the passenger-status command and limiting the ability to create symbolic links in the application root folder.